
Virtual Private Cloud:Overview of network ACLs

Last Updated:Mar 26, 2024

Network access control lists (ACLs) allow you to implement access control for a virtual private cloud (VPC). You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to control inbound and outbound traffic of Elastic Compute Service (ECS) instances that are attached to the vSwitch.

(Figure: Overview of network ACLs)

Features and supported regions

| Area | Region |
|---|---|
| Asia Pacific | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai) |
| Europe & Americas | Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia) |
| Middle East | UAE (Dubai) and Saudi Arabia (Riyadh) |

Important

The SAU (Riyadh) region is operated by a partner.

Features

  • A network ACL is used to filter inbound and outbound network traffic of ECS instances that are attached to the vSwitch with which the network ACL is associated. The network traffic forwarded to ECS instances by a Server Load Balancer (SLB) instance is also filtered.

    Note

    The network traffic of an ECS instance is not filtered by a network ACL in the following scenario: The ECS instance is associated with a secondary elastic network interface (ENI) and the secondary ENI is associated with an elastic IP address (EIP) in cut-through mode. For more information, see Associate an EIP with a secondary ENI in cut-through mode.

  • Network ACLs are stateless: return traffic is not automatically allowed. If you configure an inbound rule that allows traffic, you must also configure a corresponding outbound rule for the responses. Otherwise, the system may fail to respond to requests.

  • If you create a network ACL that does not contain a rule, all inbound traffic and outbound traffic are denied.

  • If a network ACL is associated with a vSwitch, the network ACL does not filter the traffic forwarded between ECS instances that are attached to the vSwitch.

  • The DNS servers supported by network ACLs are 100.100.2.136/32 and 100.100.2.138/32. The metaserver supported by network ACLs is 100.100.100.200/32.

Descriptions

Before you create outbound and inbound rules, take note of the following rules.

  • After you add a rule to or delete a rule from a network ACL, the change applies to the vSwitch associated with the network ACL.

  • Before you add an inbound or outbound rule of the IPv6 type, you must first assign an IPv6 CIDR block to the VPC to which the network ACL belongs.

  • IPv6 network ACLs are available only in the Philippines (Manila) region.

  • If DHCP options sets are configured, you must add the IP address of the trusted DNS server to the inbound or outbound rule. If no rule is added, services associated with DHCP options sets may be affected.

  • If the VPC to which a network ACL belongs is assigned both IPv4 and IPv6 CIDR blocks, the following default inbound and outbound rules are used:

    • Two deny rules with the lowest priority are created for the system in each direction. You cannot modify or delete the rules.

    • Three allow rules with the highest priority are created for cloud services in each direction. You cannot modify or delete the rules.

    • Two custom allow rules are created in each direction. You can delete the inbound and outbound rules. If you delete the rules, VPC traffic may be denied. Proceed with caution.

    The following table describes the default rules.

    Note

    The default inbound and outbound rules in the following table are available only in the Philippines (Manila) region. In other regions, only one custom rule of the IPv4 type is created.

    • Default inbound rules

      | Priority | Protocol | Source IP Address | Destination Port Range | Action | Type |
      |---|---|---|---|---|---|
      | * | ALL | 100.100.2.128/28 | 0:65535 | Allow | Cloud service |
      | * | ALL | 100.100.2.112/28 | 0:65535 | Allow | Cloud service |
      | * | ALL | 100.100.100.200/32 | 0:65535 | Allow | Cloud service |
      | 1 | ALL | 0.0.0.0/0 | -1/-1 | Allow | Custom |
      | 2 | ALL | ::/0 | -1/-1 | Allow | Custom |
      | * | ALL | 0.0.0.0/0 | 0:65535 | Deny | System |
      | * | ALL | ::/0 | 0:65535 | Deny | System |

    • Default outbound rules

      | Priority | Protocol | Destination IP Address | Destination Port Range | Action | Type |
      |---|---|---|---|---|---|
      | * | ALL | 100.100.2.128/28 | 0:65535 | Allow | Cloud service |
      | * | ALL | 100.100.2.112/28 | 0:65535 | Allow | Cloud service |
      | * | ALL | 100.100.100.200/32 | 0:65535 | Allow | Cloud service |
      | 1 | ALL | 0.0.0.0/0 | -1/-1 | Allow | Custom |
      | 2 | ALL | ::/0 | -1/-1 | Allow | Custom |
      | * | ALL | 0.0.0.0/0 | 0:65535 | Deny | System |
      | * | ALL | ::/0 | 0:65535 | Deny | System |

A rule of a network ACL contains the following parameters:

  • Priority: the priority of the rule. A smaller value specifies a higher priority. The system matches requests against rules in descending order of priority. Rule 1 has the highest priority. If a request matches a rule, the system applies the rule to the request and ignores the other rules.

    For example, the following rules are added to a network ACL and requests destined for IP address 172.16.0.1 are sent from an ECS instance. In this case, the requests match Rules 2 and 3. Rule 2 has a higher priority than Rule 3. Therefore, the system applies Rule 2. Based on the action of Rule 2, the requests are denied.

    | Priority | Protocol | Destination IP Address | Destination Port Range | Action | Type |
    |---|---|---|---|---|---|
    | 1 | ALL | 10.0.0.0/8 | -1/-1 | Allow | Custom |
    | 2 | ALL | 172.16.0.0/12 | -1/-1 | Deny | Custom |
    | 3 | ALL | 172.16.0.0/12 | -1/-1 | Allow | Custom |

  • Action: the action to be performed on specific traffic.

  • Protocol: the protocol of traffic. Valid values:

    • ALL: If you select ALL, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

    • ICMP: If you select this protocol, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

    • GRE: If you select this protocol, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

    • TCP: If you select this protocol, valid port numbers are 1 to 65535. Valid formats: 1/200 and 80/80. Do not set the value to -1/-1.

    • UDP: If you select this protocol, valid port numbers are 1 to 65535. Valid formats: 1/200 and 80/80. Do not set the value to -1/-1.

    • ICMPv6: If you select this protocol, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

  • Source IP Address: the source IP addresses from which inbound traffic is transmitted. This parameter is available only when you configure an inbound rule.

  • Destination IP Address: the destination IP addresses to which outbound traffic is transmitted. This parameter is available only when you configure an outbound rule.

  • Destination Port Range: the range of destination ports to which the rule applies. For an inbound rule, these are the destination ports of the inbound traffic; for an outbound rule, the destination ports of the outbound traffic.
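The following Python is an added illustration and not part of this documentation: it models the first-match evaluation of the priority example above and the stateless behaviour described under Features. The ordering of "*" rules (cloud-service allow rules above custom rules, system deny rules below them) follows the default-rule description on this page; the client address 203.0.113.5 and port 51234 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    priority: "int | None"  # None models the "*" shown for cloud-service and system rules
    protocol: str           # ALL, TCP, UDP, ICMP, GRE or ICMPv6
    cidr: str               # source CIDR (inbound rule) or destination CIDR (outbound rule)
    ports: str              # "-1/-1" means all ports; otherwise "low/high" or "low:high"
    action: str             # Allow or Deny
    kind: str               # Cloud service, Custom or System

def sort_key(rule):
    # Cloud-service rules rank highest, system deny rules lowest; custom rules sit between
    # them and a smaller priority value is matched first.
    return {"Cloud service": (0, 0), "Custom": (1, rule.priority), "System": (2, 0)}[rule.kind]

def port_matches(ports, port):
    if ports == "-1/-1" or port is None:  # all ports, or a portless protocol such as ICMP/GRE
        return True
    lo, hi = (int(p) for p in ports.replace(":", "/").split("/"))
    return lo <= port <= hi

def evaluate(rules, protocol, ip, port):
    """First match wins. Returns (action, matched_rule); no matching rule means Deny."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=sort_key):
        net = ipaddress.ip_network(rule.cidr)
        if (rule.protocol in ("ALL", protocol) and addr.version == net.version
                and addr in net and port_matches(rule.ports, port)):
            return rule.action, rule
    return "Deny", None

def stateless_check(inbound, outbound, client_ip, client_port, server_port):
    """Stateless ACL: a TCP request and its reply are evaluated independently, so the reply
    (sent back to the client's ephemeral port) needs its own outbound allow rule."""
    return (evaluate(inbound, "TCP", client_ip, server_port)[0],
            evaluate(outbound, "TCP", client_ip, client_port)[0])
# The three outbound rules from the priority example in the text.
EXAMPLE_OUTBOUND = [Rule(1, "ALL", "10.0.0.0/8", "-1/-1", "Allow", "Custom"),
                    Rule(2, "ALL", "172.16.0.0/12", "-1/-1", "Deny", "Custom"),
                    Rule(3, "ALL", "172.16.0.0/12", "-1/-1", "Allow", "Custom")]
SYSTEM_DENY = Rule(None, "ALL", "0.0.0.0/0", "0:65535", "Deny", "System")  # default lowest-priority rule
# Constructed sample: client 203.0.113.5 on ephemeral port 51234 connects to TCP port 80.
WEB_INBOUND = [Rule(1, "TCP", "0.0.0.0/0", "80/80", "Allow", "Custom"), SYSTEM_DENY]
WEB_OUTBOUND = [Rule(1, "TCP", "0.0.0.0/0", "1/65535", "Allow", "Custom"), SYSTEM_DENY]
if __name__ == "__main__":
    print(evaluate(EXAMPLE_OUTBOUND, "ALL", "172.16.0.1", 443))  # Deny, matched by rule 2
    print(stateless_check(WEB_INBOUND, [SYSTEM_DENY], "203.0.113.5", 51234, 80))  # ('Allow', 'Deny')
    print(stateless_check(WEB_INBOUND, WEB_OUTBOUND, "203.0.113.5", 51234, 80))  # ('Allow', 'Allow')
```

The second print shows the failure mode the Features section warns about: the request is admitted, but without an outbound allow rule the reply hits the system deny rule.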

Comparison between network ACLs and security groups

Network ACLs control data transmitted through associated vSwitches while security groups control data transmitted through associated ECS instances. The following table describes the differences between network ACLs and security groups.

| Item | Network ACL | Security group |
|---|---|---|
| Application scope | vSwitch | ECS instance |
| Status of response traffic | Stateless: returned traffic must be allowed by inbound rules. | Stateful: returned traffic is automatically allowed and is not affected by rules. |
| Rule evaluation | A request is matched against rules in descending order of priority, and evaluation stops at the first match, so not all rules are evaluated. | A request is matched against all rules before a rule is applied. |
| Association with ECS instances | The vSwitch to which an ECS instance belongs can be associated with only one network ACL. | Each ECS instance can be added to more than one security group. |

The following figure shows how network ACLs and security groups are applied to ensure network security.

(Figure: Security layers provided by network ACLs and security groups)

Limits

| Name | Description | Default value | Adjustable |
|---|---|---|---|
| vpc_quota_nacl_ingress_entry | Maximum number of inbound (ingress) rules that can be added to a network ACL | 20 | You can request a quota increase by using one of the following methods: |
| vpc_quota_nacl_egress_entry | Maximum number of outbound (egress) rules that can be added to a network ACL | 20 | You can request a quota increase by using one of the following methods: |
| nacl_quota_vpc_create_count | Maximum number of network ACLs that can be created in each VPC | 20 | No (N/A) |

VPCs that do not support network ACLs

If a VPC contains an ECS instance of the following instance families, the VPC does not support network ACLs:

ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

For more information, see Advanced VPC features.

If your Elastic Compute Service (ECS) instance does not support advanced virtual private cloud (VPC) features, upgrade or release the ECS instance.

Note

If a VPC contains an ECS instance of the specified instance families and the network ACL feature is enabled, you must upgrade or release the ECS instance for the network ACL to work as expected.

Procedure

(Figure: Network ACL configuration workflow)

For more information, see Create and manage a network ACL.